Hi All,
First of all, I'm very new to ELK etc.
I have two servers. One is configured with the ELK stack:
Elasticsearch
Logstash
Kibana
Another server is handling WEF (Windows Event Forwarding).
All servers in this example are Windows 2012 R2.
What I would like to do is use this setup as a proof of concept for building SIEM infrastructure for a project I'm currently working on.
I'm stuck at the Logstash part. From reading the docs it appears that I have to configure Logstash to accept input from Winlogbeat.
I can't get my head around this part. I have the standard "simple" logstash.conf file per the docs, and now I understand I need to add the entries for accepting (Windows log) Beats information, but I'm not clear on the lines that I need to enter. Also, according to netstat, Logstash isn't listening on port 5044. At what point do I specify this?
I'm not finding the documentation clear on these points. My ultimate aim is to set up various Beats on other servers, gather the data in Elasticsearch and use Kibana to visualise and dashboard it.
Here's my config file (taken straight from the documentation):
# Input: read events typed on the console only; no network listener is opened.
input { stdin { } }
output {
  # Ship events to Elasticsearch on the HTTP port (9200).
  elasticsearch { hosts => ["[IP address]:9200"] }
  # Also echo each event to the console for debugging.
  stdout { codec => rubydebug }
}
Here are the latest lines of errors from the log:
[2018-06-22T10:58:08,310][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.3.0"}
[2018-06-22T10:58:08,482][INFO ][logstash.config.source.local.configpathloader] No config files found in path {:path=>"C:/ELK/logstash/bin/logstash.conf"}
[2018-06-22T10:58:08,498][ERROR][logstash.config.sourceloader] No configuration found in the configured sources.
[2018-06-22T10:58:09,170][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
I've not found a simple tutorial that explains how to set this up.
Apologies for the noob question, but I am in fact a noob at Elastic!
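An added example, not part of the original post: the Logstash log above reports "No config files found in path C:/ELK/logstash/bin/logstash.conf", so Logstash started with no pipeline at all, which is why nothing listens on 5044. The `stdin` config never opens a network port either; a `beats` input with `port => 5044` does. The PowerShell below (written for this page, not taken from Elastic's docs) writes such a pipeline, syntax-checks it, starts Logstash 6.x against the file that actually exists, opens the Windows Firewall port only to one sender, and confirms the listener. The `C:\ELK\logstash` layout, the `192.0.2.10` Elasticsearch address and the `192.0.2.20` WEF-server address are assumptions (TEST-NET placeholders); replace them with your own.

```powershell
# Added example, not from the original post. Assumed paths/addresses are marked.
$LogstashHome = 'C:\ELK\logstash'                          # assumed install dir (matches the post's log path)
$PipelineFile = Join-Path $LogstashHome 'config\logstash.conf'
$EsHost       = '192.0.2.10'                               # assumed Elasticsearch IP (placeholder)
$WefServer    = '192.0.2.20'                               # assumed IP of the server running Winlogbeat (placeholder)

# Pipeline: a Beats input on 5044 (what Winlogbeat connects to) feeding Elasticsearch.
$Pipeline = @"
input {
  beats {
    port => 5044
    # Without ssl the Beat -> Logstash channel is plaintext on the LAN.
    # For anything beyond a lab, set (key in PKCS#8 format):
    #   ssl => true
    #   ssl_certificate => "C:/ELK/certs/logstash.crt"
    #   ssl_key         => "C:/ELK/certs/logstash.key"
  }
}

output {
  elasticsearch {
    hosts => ["http://$EsHost:9200"]
    # One index per beat, version and day, as the 6.x Beats docs suggest.
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
  # Console echo is handy while testing; drop it once events flow.
  stdout { codec => rubydebug }
}
"@

# ASCII avoids a UTF-8 BOM, which the Logstash config parser rejects.
Set-Content -Path $PipelineFile -Value $Pipeline -Encoding ASCII

# 1. Syntax-check the pipeline without starting it.
& "$LogstashHome\bin\logstash.bat" -f $PipelineFile --config.test_and_exit

# 2. Allow inbound 5044 only from the WEF/Winlogbeat host, not from everywhere.
New-NetFirewallRule -DisplayName 'Logstash Beats 5044' -Direction Inbound `
    -Protocol TCP -LocalPort 5044 -RemoteAddress $WefServer -Action Allow | Out-Null

# 3. Start Logstash pointing -f at the file that actually exists.
$proc = Start-Process -FilePath "$LogstashHome\bin\logstash.bat" `
    -ArgumentList "-f `"$PipelineFile`"" -PassThru -NoNewWindow

# 4. Wait for the Beats listener; the JVM takes a while to come up.
$listening = $false
for ($i = 0; $i -lt 60 -and -not $listening; $i++) {
    Start-Sleep -Seconds 5
    $listening = [bool](Get-NetTCPConnection -LocalPort 5044 -State Listen -ErrorAction SilentlyContinue)
}
if ($listening) {
    "Logstash (PID $($proc.Id)) is listening on TCP 5044"
} else {
    "Still nothing on 5044 after 5 minutes; check $LogstashHome\logs\logstash-plain.log"
}
```

On the Winlogbeat side, `winlogbeat.yml` needs `output.logstash.hosts: ["<logstash-ip>:5044"]` (and the `output.elasticsearch` section commented out). Two caveats for the SIEM use case: the Beats input is unauthenticated and unencrypted until `ssl` is enabled, and a default Elasticsearch install without X-Pack security has no authentication on 9200 (nor does the Logstash API on 9600), so keep both off any network your forwarding hosts do not need to reach.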